Join Early Retirement Today
Reply
 
Thread Tools Display Modes
Novel and scary phone scam
Old 03-06-2019, 10:27 AM   #1
Thinks s/he gets paid by the post
 
Join Date: Nov 2013
Posts: 1,031
Novel and scary phone scam

I posted this in another thread but wanted to highlight the scam in a new thread to make more people aware... Sorry for double posting if you've already read it.

A colleague of mine told me a scary story today. He was part of the equifax breach a year or two ago. Apparently his username for his online bank was compromised. They somehow also got his cell phone number, don't know if that was from the breach or if they had to look it up.

Yesterday while in a noisy restaurant he got a phone call from his bank (spoofed caller ID) and they told him that they were looking at what appeared to be fraudulent charges on his account. They asked him to verify a few transactions (all made up of course and none matched anything he'd purchased recently). Since there were several phony charges on the account they told him that his account had been compromised and that they would have a new card sent out to him via fedex. In order to validate his identity/transaction they asked him to repeat a code they'd send him via text.

The text came through from his bank and he repeated the number back to them. They confirmed it and said they'd ship a new card immediately.

Once my colleague came home he checked his account - his password did not work anymore. He reset the password thinking that it was part of the fraudulent charges. He set a new password and got the double verification text from his bank and noticed that a few thousand dollars had been withdrawn via wire earlier in the evening.

Apparently their "verification" for sending a new card was for the forgotten password link verification on the website for setting up a new password. Once logged in they started transactions out of the account, starting in $100 increments and then $1,000 transactions.

He was immediately refunded half of the amount but is now working with the bank to get the rest back.

I thought that the text verification was a pretty secure alternative, but as the scammers get more and more sophisticated this could become a large problem. Especially for older folks...
NgineER is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 03-06-2019, 10:40 AM   #2
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
pb4uski's Avatar
 
Join Date: Nov 2010
Location: Sarasota, FL & Vermont
Posts: 36,266
You are right.... that is a scary one... I can see people easily falling for that one... possibly even me.
__________________
If something cannot endure laughter.... it cannot endure.
Patience is the art of concealing your impatience.
Slow and steady wins the race.

Retired Jan 2012 at age 56
pb4uski is offline   Reply With Quote
Old 03-06-2019, 10:56 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Jun 2016
Location: Colorado
Posts: 8,971
I set up email alerts on transactions in my account. I would have gotten an email as soon as the first transaction took place.
COcheesehead is offline   Reply With Quote
Old 03-06-2019, 11:03 AM   #4
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
ExFlyBoy5's Avatar
 
Join Date: May 2013
Location: ATL --> Flyover Country
Posts: 6,649
Quote:
Originally Posted by COcheesehead View Post
I set up email alerts on transactions in my account. I would have gotten an email as soon as the first transaction took place.
Same here, but for a wire to have gone through...wow. That could create quite the pain.

The last few wires I have done, I have had to speak to someone on the phone to do the verification and it seems like the process to do so was fairly secure.

Nonetheless, thanks for the heads up...that is pretty sophisticated.
__________________
FIRE'd in 2014 @ 40 Years Old
Professional Retiree
ExFlyBoy5 is offline   Reply With Quote
Old 03-06-2019, 11:08 AM   #5
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Jun 2016
Location: Colorado
Posts: 8,971
Quote:
Originally Posted by ExFlyBoy5 View Post
Same here, but for a wire to have gone through...wow. That could create quite the pain.

The last few wires I have done, I have had to speak to someone on the phone to do the verification and it seems like the process to do so was fairly secure.

Nonetheless, thanks for the heads up...that is pretty sophisticated.
I need to wire funds for a RE transaction soon. My broker said to do everything verbally. He said if you communicate routing numbers, etc in an email, hackers will catch it and change the destination numbers so that you could end up wiring money to the bad guys. He says he has seen it at least twice.
COcheesehead is offline   Reply With Quote
Old 03-06-2019, 11:19 AM   #6
Recycles dryer sheets
 
Join Date: Jan 2014
Posts: 170
The OP's description made me think it was related to the SS7 hack on text message systems. This type of Multi-Factor authentication is no longer "secure" since the SS7 Network was hacked a few years ago.

Known as the SS7 network, the SS7 network is shared by every telecom provider to manage calls and texts between phone numbers. There are a number of well known SS7 vulnerabilities.

Click on this link to read the full story of this hack.
SS7 Hack

.
DatumPoint5 is offline   Reply With Quote
Old 03-06-2019, 11:23 AM   #7
Thinks s/he gets paid by the post
 
Join Date: Nov 2011
Posts: 3,877
There's no hacking needed for this scam to work. I'd explain how but that would teach more scammers.
GrayHare is offline   Reply With Quote
Old 03-06-2019, 11:34 AM   #8
Thinks s/he gets paid by the post
Tadpole's Avatar
 
Join Date: Jul 2004
Posts: 1,428
It struck me that this is exactly the procedure Bank of America has used in the past when they wanted to change my credit card number to forestall a breach when they believed my name was part of a stolen data base. They called and told us to expect a new card in the mail. My husband doesn't remember if they asked for a verification but I imagine that they do today since they now use verification codes on their logins. My husband keeps the phone they would call and he would have just assumed it was the same as a couple of times in the past. I read the OP's post to him.
Tadpole is offline   Reply With Quote
Old 03-06-2019, 11:41 AM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,008
Wow that is tricky! I probably would have fallen for it with a spoofed number. I’ve been called about fraudulent charges before, but never asked for a code!

It seems you would need someone talking to the bank at the same time another talked to the victim. Coordinated, next to each other or texting.

It’s phishing, not hacking, if they already had the username. They just needed that verification code sent by the bank. And this was a clever way to get the victim to give it to them.
__________________
Retired since summer 1999.
audreyh1 is offline   Reply With Quote
Old 03-06-2019, 11:46 AM   #10
Recycles dryer sheets
 
Join Date: Oct 2011
Posts: 107
A good reminder to thank the 'helpful' caller for the information and letting them know that you will call your bank/credit card/brokerage directly to verify the issue.

I will share this latest scam warning with DW and kids.
Omalley is offline   Reply With Quote
Old 03-06-2019, 11:48 AM   #11
Thinks s/he gets paid by the post
 
Join Date: Nov 2013
Posts: 1,031
Quote:
Originally Posted by audreyh1 View Post
Wow that is tricky! I probably would have fallen for it with a spoofed number. I’ve been called about fraudulent charges before, but never asked for a code!

It seems you would need someone talking to the bank at the same time another talked to the victim. Coordinated, next to each other or texting.

It’s phishing, not hacking, if they already had the username. They just needed that verification code sent by the bank.
No-you they don't need to talk to someone at the bank - they just hit the forgot password button and the request for verification via text was sent automatically to my colleagues phone to verify his identity. He then told the scammer the code and they used it to reset the password and start withdrawing money.
NgineER is offline   Reply With Quote
Old 03-06-2019, 11:54 AM   #12
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
REWahoo's Avatar
 
Join Date: Jun 2002
Location: Texas: No Country for Old Men
Posts: 50,004
The last time I got one of these notifications of possible CC fraud from my bank it was a text message asking me to verify a charge. This incident tells me if I get a future notification by phone or text I should always call the bank myself, using a number I know is correct.
__________________
Numbers is hard
REWahoo is offline   Reply With Quote
Old 03-06-2019, 11:58 AM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,008
Quote:
Originally Posted by NgineER View Post
No-you they don't need to talk to someone at the bank - they just hit the forgot password button and the request for verification via text was sent automatically to my colleagues phone to verify his identity. He then told the scammer the code and they used it to reset the password and start withdrawing money.
Well that’s true.
__________________
Retired since summer 1999.
audreyh1 is offline   Reply With Quote
Old 03-06-2019, 12:04 PM   #14
Thinks s/he gets paid by the post
 
Join Date: Jan 2006
Posts: 4,172
Quote:
Originally Posted by NgineER View Post
No-you they don't need to talk to someone at the bank - they just hit the forgot password button and the request for verification via text was sent automatically to my colleagues phone to verify his identity. He then told the scammer the code and they used it to reset the password and start withdrawing money.
I was wondering how a real code could be sent by the scammer.......so I guess the bold above is the heart of the matter which perhaps you should emphasize in the future. Yes, thanks for posting.
kaneohe is offline   Reply With Quote
Old 03-06-2019, 12:05 PM   #15
Thinks s/he gets paid by the post
Cut-Throat's Avatar
 
Join Date: Jan 2007
Location: Minneapolis
Posts: 1,172
Texting is for 14 year olds ...... avoid it.


I know, 'It's so easy and convenient and fast' ..... And you're right, especially for the scammers....
Cut-Throat is offline   Reply With Quote
Old 03-06-2019, 12:15 PM   #16
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
ivinsfan's Avatar
 
Join Date: Feb 2007
Posts: 9,953
So my rule for this is don't talk to anybody about anything financial in a crowd or while driving or when trying to multitask.....it's too easy to make a mistake.

Hang up and call the financial institution in question...there's no downside to doing this. In my case I use a regional/local bank and have for 40 years I probably know just about everyone working there.... ..it's too bad it's come to this level of paranoia.. but it pays to be paranoid....

and I conduct all my financial business on my at home desktop...it's another level of security. Went I got my last desktop and logged on to the bank I deliberately did not check the "remember this computer" button and answer a different challenge question every time I log on to my account. the only alerts I have sent to my phone are activity alerts...and just to be really careful I don't use a debit card, I don't even have one activated. It's not that hard to use CC and printed checks once in awhile.
ivinsfan is offline   Reply With Quote
Old 03-06-2019, 12:17 PM   #17
Thinks s/he gets paid by the post
 
Join Date: Jul 2015
Location: Beaverton
Posts: 1,382
I got a call like this. Hung up.
__________________
Jump in, the water's warm.
Bir48die is offline   Reply With Quote
Old 03-06-2019, 12:34 PM   #18
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Aug 2004
Location: Laurel, MD
Posts: 8,309
Quote:
Originally Posted by Tadpole View Post
It struck me that this is exactly the procedure Bank of America has used in the past when they wanted to change my credit card number to forestall a breach when they believed my name was part of a stolen data base. They called and told us to expect a new card in the mail. My husband doesn't remember if they asked for a verification but I imagine that they do today since they now use verification codes on their logins. My husband keeps the phone they would call and he would have just assumed it was the same as a couple of times in the past. I read the OP's post to him.


When my BOA debit card was hacked, they called, texted, and emailed. The call was a request to contact their fraud Dept.
__________________
...with no reasonable expectation for ER, I'm just here auditing the AP class.Retired 8/1/15.
jazz4cash is offline   Reply With Quote
Old 03-06-2019, 12:37 PM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
JoeWras's Avatar
 
Join Date: Sep 2012
Posts: 11,701
That's pretty novel, and I can see how it works.

Lesson here is when "the bank" calls, call them back. If you are in the car or restaurant, don't rush. Tell them to lock your card/account, and call back with a clear head without distractions.

I've been called by my credit card company when this happened, and the first thing they said was my account was already locked based on suspicion of fraud, so I didn't have to ask them that step. I had the ability to log in and check the transactions and work with them. I cannot tell you I called back, I don't remember. However, in the future I sure will and won't let them drive the bus.
JoeWras is offline   Reply With Quote
Old 03-06-2019, 12:43 PM   #20
Administrator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Chicagoland
Posts: 40,586
Quote:
Originally Posted by JoeWras View Post

Lesson here is when "the bank" calls, call them back. If you are in the car or restaurant, don't rush. Tell them to lock your card/account, and call back with a clear head without distractions.
This is what I do. When the CC company calls me and then says “we need to verify your identity” my response is “you called me, I’ve been identified but you haven’t”. I hang up and call back at the main contact number. It adds a bit of hassle but there is no way I’m giving any security or identity validation info to anyone without first confirming they are legit.
MichaelB is offline   Reply With Quote
Reply

Tags
phone scams, scams


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How much can a phone scam artist know from my phone number? SecondCor521 Other topics 33 03-07-2019 04:21 PM
Scam or no scam ? Moemg Other topics 20 12-01-2009 08:19 PM
A Novel Social Security Question rcsj FIRE and Money 19 12-11-2007 02:13 PM
Novel Use for Dryer Sheets GMueller Other topics 8 02-28-2007 04:37 PM

» Quick Links

 
All times are GMT -6. The time now is 02:11 AM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2024, vBulletin Solutions, Inc.